
Bug 736924 (CVE-2020-17507)

Summary: <dev-qt/qtgui-5.14.2-r1: Buffer Overread (CVE-2020-17507)
Product: Gentoo Security
Reporter: John Helmert III (ajak) <jchelmert3>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: qt
Priority: Normal
Keywords: CC-ARCHES, PullRequest
Version: unspecified
Flags: nattka: sanity-check+
Hardware: All
OS: Linux
URL: https://codereview.qt-project.org/c/qt/qtbase/+/308496
See Also: https://github.com/gentoo/gentoo/pull/17183
Whiteboard: A4 [glsa+ cve]
Package list: dev-qt/qtgui-5.14.2-r1
Runtime testing required: ---

Description John Helmert III (ajak) 2020-08-13 01:54:39 UTC
CVE-2020-17507:

An issue was discovered in Qt through 5.12.9, and 5.13.x through 5.15.x before 5.15.1. read_xbm_body in gui/image/qxbmhandler.cpp has a buffer over-read.

Patch: https://codereview.qt-project.org/c/qt/qtbase/+/308496/2/src/gui/image/qxbmhandler.cpp
Comment 1 Sam James archtester gentoo-dev Security 2020-08-20 11:06:05 UTC
ping
Comment 2 Sam James archtester gentoo-dev Security 2020-08-20 12:36:14 UTC
Chiitoo, I just had a look, and it seems like Debian backported it to 5.14.x too: https://sources.debian.org/patches/qtbase-opensource-src/5.14.2+dfsg-6/CVE-2020-17507.diff/

Much smaller, interestingly.
Comment 3 Chiitoo gentoo-dev 2020-08-20 16:58:07 UTC
(In reply to Sam James from comment #2)
> Chiitoo, I just had a look, and it seems like Debian backported it to 5.14.x
> too:
> https://sources.debian.org/patches/qtbase-opensource-src/5.14.2+dfsg-6/CVE-2020-17507.diff/
> 
> Much smaller, interestingly.

I guess we could do that too.

They don't seem to bother with patching the test parts, and I'm not entirely sure if we use those parts either in any situation...
Comment 4 Larry the Git Cow gentoo-dev 2020-08-22 18:52:40 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=621b799854a30f790193cf9f6177cb297048412a

commit 621b799854a30f790193cf9f6177cb297048412a
Author:     Jimi Huotari <chiitoo@gentoo.org>
AuthorDate: 2020-08-20 12:03:19 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2020-08-22 18:52:22 +0000

    dev-qt/qtgui: fix CVE-2020-17507
    
    Upstream commit: https://code.qt.io/cgit/qt/qtbase.git/commit/?id=1616c719
    
    Reported-by: John Helmert III (ajak) <jchelmert3@posteo.net>
    Bug: https://bugs.gentoo.org/736924
    Package-Manager: Portage-3.0.4, Repoman-3.0.1
    Signed-off-by: Jimi Huotari <chiitoo@gentoo.org>
    Closes: https://github.com/gentoo/gentoo/pull/17183
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 .../qtgui/files/qtgui-5.14.2-CVE-2020-17507.patch  |  39 +++++
 dev-qt/qtgui/qtgui-5.14.2-r1.ebuild                | 185 +++++++++++++++++++++
 dev-qt/qtgui/qtgui-5.15.0-r1.ebuild                | 185 +++++++++++++++++++++
 3 files changed, 409 insertions(+)
Comment 5 John Helmert III (ajak) 2020-08-23 00:26:28 UTC
Thanks.
Comment 6 Sam James archtester gentoo-dev Security 2020-08-25 21:41:11 UTC
arm64 done
Comment 7 Sam James archtester gentoo-dev Security 2020-08-25 22:16:37 UTC
arm done
Comment 8 Sam James archtester gentoo-dev Security 2020-08-29 02:06:45 UTC
amd64 done
Comment 9 Sam James archtester gentoo-dev Security 2020-08-29 02:07:26 UTC
x86 done
Comment 10 Sam James archtester gentoo-dev Security 2020-08-29 03:28:19 UTC
ppc64 done
Comment 11 Sam James archtester gentoo-dev Security 2020-08-30 23:46:43 UTC
ppc done

all arches done
Comment 12 Sam James archtester gentoo-dev Security 2020-08-30 23:49:54 UTC
Please clean up.
Comment 13 Larry the Git Cow gentoo-dev 2020-08-31 19:59:08 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b63131a033258484a470290415c50cde1e6c63d2

commit b63131a033258484a470290415c50cde1e6c63d2
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2020-08-31 19:58:21 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2020-08-31 19:58:44 +0000

    dev-qt/qtgui: Cleanup vulnerable 5.14.2 (r0)
    
    Bug: https://bugs.gentoo.org/736924
    Package-Manager: Portage-3.0.5, Repoman-3.0.1
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 dev-qt/qtgui/qtgui-5.14.2.ebuild | 184 ---------------------------------------
 1 file changed, 184 deletions(-)
Comment 14 Thomas Deutschmann gentoo-dev Security 2020-09-13 22:34:56 UTC
New GLSA request filed.
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2020-09-13 23:39:43 UTC
This issue was resolved and addressed in
 GLSA 202009-04 at https://security.gentoo.org/glsa/202009-04
by GLSA coordinator Thomas Deutschmann (whissi).